Microsoft's MS05-019 and Raw Sockets

SA Security Bloggers

SensePost

Haroon Meer
link

Matt Erasmus
link

Andrew Mohawk

Junaid Loonat
link

Barry Irwin
link

Tom Wells

Allen Baranov
link

Jock Forrester
link

IT Security Pubcast
link

Telspace

ISGAfrica

Ralfe Poisson

How-To's
link Linux SSH Jail with pam_chroot
link Firefox Privacy & Security Extensions

Papers
link Managing Patching, my MSc Thesis
link Risk Analysis of Monthly Patch Schedules

Tools
link Automated Vodacom SMS (VodaSMS)
link RSS 2 SMS
link DShield Hack Detection

Neologisms
link Encryption principles
link Zoolander's Law

Syndicate This Blog

SSL

Certificate fingerprints:

SHA1: 61 13 45 4B 4C F9 89 9B B7 87 C8 78 F7 38 12 CB 07 E2 60 BF
MD5 : DA 53 7B 50 E4 3A 2C 6C A1 17 53 C1 A0 5E CB 89

HTTPS version.
You can find an explanation here.

License

Original content in this work is licensed under a Creative Commons License

Disclaimer

This blog and its contents are in no way affiliated with, or endorsed by my employer.

Random Entry: Caltex Key Fobs and a Chain Mail Security Alert
< Website Security with Petnames | Problems, Problems, Problems >

Tuesday, April 26. 2005

Microsoft's MS05-019 and Raw Sockets

It appears that Microsoft has disabled raw sockets completely when the new MS05-019 (kb, exploit) patch is applied. This originally only affected XP SP2 but now affects SP1. Windows 2003 is still unaffected. The quote from the SP2 page is:

Restricted traffic over raw sockets

A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

TCP data cannot be sent over raw sockets.
UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.

Thsi doesn't make sense to me or others (Fydor of nmap fame). First, I don't think disabling a useful feature to prevent it from being used maliciously is a good way to do things. Second, if the Windows TCP/IP stack wasn't broken this wouldn't be a particularly big problem. Finally, almost every other OS allows the use of raw sockets, which means that the 'malicious behaviour' they discuss can still be pursued. Then in a bizzarre twist, Microsoft allows W2K3 to still use raw sockets? I think they are hoping to reduce the amount of malicious traffic coming from unpatched home machines. If this is the case it would be nice if they could provide an optional 'allow raw sockets' patch.

Posted by Dominic White in Security at 10:46 | Comments (0) | Trackbacks (0)

Last modified on 2005-04-26 11:01

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

No comments

Add Comment

Name
Email
Homepage
In reply to
Comment	E-Mail addresses will not be displayed and will only be used for E-Mail notifications. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry